[Saved Queries] Rework saved query privileges

config/serverless.es.yml

@@ -48,11 +48,11 @@ xpack.fleet.internal.registry.excludePackages: [
 ## Fine-tune the search solution feature privileges. Also, refer to `serverless.yml` for the project-agnostic overrides.
 xpack.features.overrides:
   ### Dashboards feature is moved from Analytics category to the Search one.
-  dashboard.category: "enterpriseSearch"
+  dashboard_v2.category: "enterpriseSearch"
   ### Dev Tools feature is moved from Analytics category to the Search one.
   dev_tools.category: "enterpriseSearch"
   ### Discover feature is moved from Analytics category to the Search one.
-  discover.category: "enterpriseSearch"
+  discover_v2.category: "enterpriseSearch"
   ### Machine Learning feature is moved from Analytics category to the Management one.
   ml.category: "management"
   ### Stack Alerts feature is moved from Analytics category to the Search one renamed to simply `Alerts`.
@@ -131,4 +131,4 @@ xpack.observabilityAIAssistant.scope: "search"
 aiAssistantManagementSelection.preferredAIAssistantType: "observability"
 xpack.observabilityAiAssistantManagement.logSourcesEnabled: false
 xpack.observabilityAiAssistantManagement.spacesEnabled: false
-xpack.observabilityAiAssistantManagement.visibilityEnabled: false
+xpack.observabilityAiAssistantManagement.visibilityEnabled: false

config/serverless.oblt.yml

@@ -30,7 +30,7 @@ xpack.features.overrides:
         - feature: "observability"
           privileges: [ "read" ]
   ### Dashboards feature should be moved from Analytics category to the Observability one.
-  dashboard.category: "observability"
+  dashboard_v2.category: "observability"
   ### Discover feature should be moved from Analytics category to the Observability one and its privileges are
   ### fine-tuned to grant access to Observability app.
   discover:
@@ -44,6 +44,17 @@ xpack.features.overrides:
       read.composedOf:
         - feature: "observability"
           privileges: [ "read" ]
+  discover_v2:
+    category: "observability"
+    privileges:
+      # Discover `All` feature privilege should implicitly grant `All` access to Observability app.
+      all.composedOf:
+        - feature: "observability"
+          privileges: [ "all" ]
+      # Discover `Read` feature privilege should implicitly grant `Read` access to Observability app.
+      read.composedOf:
+        - feature: "observability"
+          privileges: [ "read" ]
   ### Fleet feature privileges are fine-tuned to grant access to Logs app.
   fleetv2:
     privileges:
@@ -224,4 +235,4 @@ xpack.ml.compatibleModuleType: 'observability'
 console.ui.embeddedEnabled: false
 
 # Disable role management (custom roles)
-xpack.security.roleManagementEnabled: false
+xpack.security.roleManagementEnabled: false

config/serverless.security.yml

@@ -16,8 +16,10 @@ xpack.inventory.enabled: false
 xpack.features.overrides:
   ### Dashboard feature is hidden in Role management since it's automatically granted by SIEM feature.
   dashboard.hidden: true
+  dashboard_v2.hidden: true
   ### Discover feature is hidden in Role management since it's automatically granted by SIEM feature.
   discover.hidden: true
+  discover_v2.hidden: true
   ### Machine Learning feature is moved from Analytics category to the Security one as the last item.
   ml:
     category: "security"
@@ -28,25 +30,29 @@ xpack.features.overrides:
       ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
       ### Visualize features.
       all.composedOf:
-        - feature: "discover"
+        - feature: "discover_v2"
           privileges: [ "all" ]
-        - feature: "dashboard"
+        - feature: "dashboard_v2"
           privileges: [ "all" ]
-        - feature: "visualize"
+        - feature: "visualize_v2"
           privileges: [ "all" ]
-        - feature: "maps"
+        - feature: "maps_v2"
+          privileges: [ "all" ]
+        - feature: "savedQueryManagement"
           privileges: [ "all" ]
       # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
       # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
       ### Dashboard, and Visualize apps.
       read.composedOf:
-        - feature: "discover"
+        - feature: "discover_v2"
+          privileges: [ "read" ]
+        - feature: "dashboard_v2"
           privileges: [ "read" ]
-        - feature: "dashboard"
+        - feature: "visualize_v2"
           privileges: [ "read" ]
-        - feature: "visualize"
+        - feature: "maps_v2"
           privileges: [ "read" ]
-        - feature: "maps"
+        - feature: "savedQueryManagement"
           privileges: [ "read" ]
 
 ## Cloud settings

config/serverless.yml

@@ -16,16 +16,40 @@ xpack.features.overrides:
     privileges:
       ### Dashboard's `All` feature privilege should implicitly grant `All` access to Maps and Visualize features.
       all.composedOf:
-        - feature: "maps"
+        - feature: "maps_v2"
           privileges: [ "all" ]
-        - feature: "visualize"
+        - feature: "visualize_v2"
           privileges: [ "all" ]
       ### Dashboard's `Read` feature privilege should implicitly grant `Read` access to Maps and Visualize features.
       ### Additionally, it should implicitly grant privilege to create short URLs in Visualize app.
       read.composedOf:
-        - feature: "maps"
+        - feature: "maps_v2"
           privileges: [ "read" ]
-        - feature: "visualize"
+        - feature: "visualize_v2"
+          privileges: [ "read" ]
+    ### All Dashboard sub-feature privileges should be hidden: reporting capabilities will be granted via dedicated
+    ### Reporting feature and short URL sub-feature privilege should be granted for both `All` and `Read`.
+    subFeatures.privileges:
+      download_csv_report.disabled: true
+      generate_report.disabled: true
+      store_search_session.disabled: true
+      url_create:
+        disabled: true
+        includeIn: "read"
+  dashboard_v2:
+    privileges:
+      ### Dashboard's `All` feature privilege should implicitly grant `All` access to Maps and Visualize features.
+      all.composedOf:
+        - feature: "maps_v2"
+          privileges: [ "all" ]
+        - feature: "visualize_v2"
+          privileges: [ "all" ]
+      ### Dashboard's `Read` feature privilege should implicitly grant `Read` access to Maps and Visualize features.
+      ### Additionally, it should implicitly grant privilege to create short URLs in Visualize app.
+      read.composedOf:
+        - feature: "maps_v2"
+          privileges: [ "read" ]
+        - feature: "visualize_v2"
           privileges: [ "read" ]
     ### All Dashboard sub-feature privileges should be hidden: reporting capabilities will be granted via dedicated
     ### Reporting feature and short URL sub-feature privilege should be granted for both `All` and `Read`.
@@ -45,23 +69,36 @@ xpack.features.overrides:
       url_create:
         disabled: true
         includeIn: "read"
+  discover_v2:
+    ### All Discover sub-feature privileges should be hidden: reporting capabilities will be granted via dedicated
+    ### Reporting feature and short URL sub-feature privilege should be granted for both `All` and `Read`.
+    subFeatures.privileges:
+      generate_report.disabled: true
+      store_search_session.disabled: true
+      url_create:
+        disabled: true
+        includeIn: "read"
   ### Shared images feature is hidden in Role management since it's not needed.
   filesSharedImage.hidden: true
   ### Maps feature is hidden in Role management since it's automatically granted by Dashboard feature.
-  maps.hidden: true
+  maps_v2.hidden: true
   ### Reporting feature is supposed to give access to reporting capabilities across different features.
   reporting:
     privileges:
       all.composedOf:
-        - feature: "dashboard"
+        - feature: "dashboard_v2"
           privileges: [ "download_csv_report" ]
-        - feature: "discover"
+        - feature: "discover_v2"
           privileges: [ "generate_report" ]
   ### Visualize feature is hidden in Role management since it's automatically granted by Dashboard feature.
   visualize:
     hidden: true
     ### The short URL sub-feature privilege should be always granted.
     subFeatures.privileges.url_create.includeIn: "read"
+  visualize_v2:
+    hidden: true
+    ### The short URL sub-feature privilege should be always granted.
+    subFeatures.privileges.url_create.includeIn: "read"
 
 # Cloud links
 xpack.cloud.base_url: 'https://cloud.elastic.co'
@@ -233,4 +270,4 @@ discover.enableUiSettingsValidations: true
 ## Data Usage in stack management
 xpack.dataUsage.enabled: true
 # This feature is disabled in Serverless until fully tested within a Serverless environment
-xpack.dataUsage.enableExperimental: ['dataUsageDisabled']
+xpack.dataUsage.enableExperimental: ['dataUsageDisabled']

docs/concepts/save-query.asciidoc

@@ -17,9 +17,9 @@ which include the *Discover* configuration—selected columns in the documen
 Discover sessions are primarily used for adding search results to a dashboard.
 
 [role="xpack"]
-==== Read-only access
-If you have insufficient privileges to save queries,
-the *Save* button isn't visible in the saved query management popover.
+==== Saved query access
+If you have insufficient privileges to manage saved queries,
+you will be unable to load or save queries from the saved query management popover.
 For more information, see <<xpack-security-authorization, Granting access to Kibana>>
 
 ==== Save a query

docs/setup/configuring-reporting.asciidoc

@@ -109,11 +109,11 @@ PUT <kibana host>:<port>/api/security/role/custom_reporting_user
 		"spaces": ["*"],
 		"base": [],
 		"feature": {
-			"dashboard": ["generate_report",  <1>
+			"dashboard_v2": ["generate_report",  <1>
       "download_csv_report"], <2>
-      "discover": ["generate_report"], <3>
+      "discover_v2": ["generate_report"], <3>
 			"canvas": ["generate_report"], <4>
-			"visualize": ["generate_report"] <5>
+			"visualize_v2": ["generate_report"] <5>
 		}
 	}]
 }
@@ -146,8 +146,8 @@ PUT localhost:5601/api/security/role/custom_reporting_user
     {
       "base": [],
       "feature": {
-        "dashboard": [ "all" ], <1>
-        "discover": [ "all" ], <2>
+        "dashboard_v2": [ "all" ], <1>
+        "discover_v2": [ "all" ], <2>
       },
       "spaces": [ "*" ]
     }

docs/upgrade-notes.asciidoc

@@ -151,6 +151,23 @@ We would love to discuss your use case.
 
 ====
 
+[discrete]
+[[breaking-202863]]
+.Saved query privileges have been reworked (9.0.0)
+[%collapsible]
+====
+*Details* +
+Saved query privileges have been reworked to rely solely on a single global `savedQueryManagement` privilege, and eliminate app-specific overrides (e.g. implicit access with `all` privilege for Discover, Dashboard, Maps, and Visualize apps). This change simplifies the security model and ensures consistency in the saved query management UI across Kibana, but results in different handling of saved query privileges for new user roles, and minor breaking changes to the existing management UX.
+For more information, refer to {kibana-pull}202863[#202863].
+*Impact* +
+The `savedQueryManagement` feature privilege now globally controls access to saved query management for all new user roles. Regardless of privileges for Discover, Dashboard, Maps, or Visualize, new user roles follow this behaviour:
+. If `savedQueryManagement` is `none`, the user cannot see or access the saved query management UI or APIs.
+. If `savedQueryManagement` is `read`, the user can load queries from the UI and access read APIs, but cannot save queries from the UI or make changes to queries through APIs.
+. If `savedQueryManagement` is `all`, the user can both load and save queries from the UI and through APIs.
+*Action* +
+Existing user roles that were previously implicitly granted access to saved queries through the dashboard, discover, visualize, or maps feature privileges will retain that access to prevent breaking changes. While no action is required for existing roles, it’s still advisable to audit relevant roles and re-save them to migrate to the latest privileges model. For new roles, ensure that the savedQueryManagement privilege is set as needed.
+====
+
 [float]
 === Deprecation notices
 

docs/user/security/authorization/kibana-privileges.asciidoc

@@ -65,8 +65,8 @@ PUT /api/security/role/my_kibana_role
     {
       "base": [],
       "feature": {
-        "visualize": ["all"],
-        "dashboard": ["read", "url_create"]
+        "visualize_v2": ["all"],
+        "dashboard_v2": ["read", "url_create"]
       },
       "spaces": ["marketing"]
     }

examples/state_containers_examples/public/with_data_services/app.tsx

@@ -98,7 +98,7 @@ export const App = ({
             showSearchBar={true}
             indexPatterns={[dataView]}
             useDefaultBehaviors={true}
-            saveQueryMenuVisibility="allowed_by_app_privilege" // allowed only for this example app, use `globally_managed` by default
+            allowSavingQueries
           />
           <EuiPageTemplate.Section>
             <EuiText>